diff mbox series

openssh: Update to version 9.3p2 - Fixes CVE-2023-38408

Message ID 20230720160439.3433775-1-adolf.belka@ipfire.org
State Staged
Commit 45496ad1903a512b67be2119bd2ef4901330913d
Headers
Series openssh: Update to version 9.3p2 - Fixes CVE-2023-38408 |

Commit Message

Adolf Belka July 20, 2023, 4:04 p.m. UTC 
  - Update from version 9.3p1 to 9.3p2
- Update of rootfile not required
- Changelog
    9.3p2 (2023-07-19)
	This release fixes a security bug.
	Security
		Fix CVE-2023-38408 - a condition where specific libaries loaded via
		 ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
		 code execution via a forwarded agent socket if the following
		 conditions are met:
			* Exploitation requires the presence of specific libraries on
			   the victim system.
			* Remote exploitation requires that the agent was forwarded
			   to an attacker-controlled system.
		Exploitation can also be prevented by starting ssh-agent(1) with an
		 empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
		 an allowlist that contains only specific provider libraries.
		This vulnerability was discovered and demonstrated to be exploitable
		 by the Qualys Security Advisory team.
		In addition to removing the main precondition for exploitation,
		 this release removes the ability for remote ssh-agent(1) clients
		 to load PKCS#11 modules by default (see below).
		Potentially-incompatible changes
		 * ssh-agent(8): the agent will now refuse requests to load PKCS#11
		    modules issued by remote clients by default. A flag has been added
		    to restore the previous behaviour "-Oallow-remote-pkcs11".
		   Note that ssh-agent(8) depends on the SSH client to identify
		    requests that are remote. The OpenSSH >=8.9 ssh(1) client does
		    this, but forwarding access to an agent socket using other tools
		    may circumvent this restriction.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 lfs/openssh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/lfs/openssh b/lfs/openssh
index 5a18edd70..83c94ffdc 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 9.3p1
+VER        = 9.3p2
 
 THISAPP    = openssh-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d
+$(DL_FILE)_BLAKE2 = 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f
 
 install : $(TARGET)